SYNful Knock is described by FireEye as a “stealthy modification of the router's firmware” that is modular and thus easily updated once inserted into a router. The initial infection helps the attacker install a back door into the system, which can be quite difficult to find and remove but is easily accessed by the attacker.

“The implant consists of a modified Cisco IOS image that allows the attacker to load different functional modules from the anonymity of the internet. The implant also provides unrestricted access using a secret backdoor password,” FireEye said in its report.

FireEye said that if either the implant or an unauthorized back door is found, it most likely indicates the system is compromised.

On a positive note, there is only a slight chance that SYNful Knock will spread on its own.

“As of right now, that is not the greatest concern. SYNful Knock is not self-propagating, thus it would require the attacker to actively infect additional Cisco routers or routers from another company,” a FireEye spokesman told SCMagazine.com in an email Wednesday.